Should the feds protect political parties in cyberspace?



PARTY ON — The National Republican Congressional Committee hack has reopened debate about what action, if any, the federal government should take to protect political parties from cyberattacks, Eric and Martin report. Despite recognizing political committees as rich targets for hackers because of the sensitive information they possess, lawmakers, cyber experts and former government and committee officials are divided over whether the government should help parties boost their cybersecurity.

The U.S. political system “needs to be considered part of our critical infrastructure just as much as a power plant or a bank,” according to Sen. Lindsey Graham. But others, like Sen. Tim Kaine, argued parties can beef up their defenses on their own. “I don’t know that there needs to be federal assistance,” said Kaine, who was on the Democratic ticket while the 2016 presidential race was under digital assault from Russia.

Former DHS officials were similarly split. The feds “should stay out of political parties’ networks,” said Bruce McConnell, the former No. 2 official in the agency’s cyber wing. “If a political party requests assistance, DHS can provide it,” according to Neil Jenkins, who led the DHS election security work in 2016. “The government just has to provide the same services to all political parties to avoid any accusations of bias.” Pros can read the full story here.

Breaches

EQUIFAX REAX — Equifax was none too pleased with a scathing House Oversight Committee GOP investigative report on its massive 2017 breach. A company spokesperson took aim at the panel for giving it too little time to review the document, and said it contained “significant inaccuracies.” The company also said it was working to improve protections for consumers and customers. Meanwhile, Democrats also faulted the report, saying it didn’t make meaningful recommendations and that companies should face stiffer civil penalties for cybersecurity failures.

TECH MVPs — The White House on Monday expanded the criteria that agencies use to identify their high-value assets, moving from a single definition to a system where assets qualify if they meet at least one of three standards. Now, agencies can designate information systems as high-value assets if they are indispensable to the agency’s primary function; they play a “critical” role in the broader “civilian enterprise”; or they process or store extremely valuable data. The change came in an Office of Management and Budget memo that offered guidance on several aspects of the government’s HVA program. The memo also told agencies how to create governance mechanisms for HVA protection, prioritize resources for defending HVAs and write “remediation plans” for submission to DHS.

Critical Infrastructure

PANEL EXPLORES POWER FAILURE ‘BEYOND MODERN EXPERIENCE’ — From our friends at Morning Energy: The federal government is still unclear about which agencies would make decisions during a widespread electric grid outage and says there is no “common agreement” on how redundant energy, communications and water systems need to be in such a crisis, according to a White House panel. The President’s National Infrastructure Advisory Council offered seven recommendations in a 94-page report on Monday exploring the fallout of a power failure lasting weeks and at a “magnitude beyond modern experience, exceeding prior events in severity, scale, duration, and consequence.”

— Who does what? Some of the federal emergency responsibilities during a power outage were put with the Energy Department three years ago, but the report says that such a disaster would likely see the federal government exercise authorities that have rarely or never been used. “Infrastructure owners and operators and state leaders recognize this conceptually,” the report says, “yet it is unclear how command authorities will change, who will make decisions, and how resources will be coordinated.”

— Who does what, where? A prolonged power outage will require a “whole-of-nation approach,” the report says. “Without design basis guidance from the federal government, it is difficult for owners and operators to justify investments, receive regulatory approval, or even know what standards are realistic and sensible to build to because everything cannot be hardened. Sectors will also continue to build based on siloed or individual requirements without taking into account the larger context of national or other critical functions.”

— Stock the bunker! There’s also a need to improve individual preparedness, the panel argues. “Most preparedness campaigns call for citizens to be prepared for 72 hours in an emergency, but the new emerging standard is 14 days,” the report states, pointing to programs in Washington, Oregon and Hawaii.

A FEW SIMPLE ASKS — Any new trade deal between the U.S. and the European Union should prohibit laws that force tech companies to weaken their encryption to comply with warrants, the security firm Rapid7 said in comments filed Monday with the Office of the U.S. Trade Representative. In addition to creating new vulnerabilities, Rapid7 wrote, “market access rules requiring weakened encryption would create technical barriers to trade and put products with weakened encryption at a competitive disadvantage with uncompromised products.” A world with encryption backdoors would likely be “highly complex, vulnerable to misuse, and burdensome to businesses and innovators,” the company argued.

A new trade deal should also encourage both sides to modify laws that restrict “defensive cybersecurity activity” like processing and sharing cyber threat data, Rapid7 said. It cited the Wassenaar Arrangement, which drew the ire of the cyber research community over limitations on incident response and vulnerability disclosure and had to be fixed in 2017. A draft EU privacy law would similarly hinder threat data processing, the company said.

“Many regulations were enacted before defensive cybersecurity became a widely understood priority,” Rapid7 wrote in its comments. The company also urged USTR to push for provisions on increased capabilities for cyber incident response teams, “interoperable” cyber risk frameworks and industry-led internet of things security standards.

KEEPING TRACK — Policymakers and cyber experts sounded the alarm about a New York Times story Monday detailing how companies obtain intimate location data information from apps. “Jaw-dropping evidence that Americans are being kept in the dark about the personal data companies are collecting, what’s being done with it, and how much that data is worth,” tweeted Sen. Mark Warner, top Democrat on the Intelligence panel. “Consumers are paying with their data, but have no way to find out if they're getting a fair deal.”

Alex Stamos, Facebook’s former security chief, tweeted that the problem was even bigger: “The collective privacy violation across hundreds of millions of phones is a huge issue and a hard one to quantify. Even this great story is effectively anecdata based upon one dataset.” Here’s how to cut down on such tracking, or just make sure it never happens.

RECENTLY ON PRO CYBERSECURITY — Google will shut down Google+ sooner than planned after a security vulnerability exposed 52 million users’ personal information. … A cyber espionage group dubbed Seedworm is increasing the pace of its attacks, Symantec found. … Rep. Robin Kelly introduced revised legislation mandating that the government only purchase internet of things devices that meet minimum security standards. … “LinkedIn co-founder backs $35 million voter data project in 'existential threat' to Democratic Party.” … Customs and Border Protection isn’t ensuring that it secures collected data with its device searches at ports of entry, among other problems identified by DHS’s inspector general. … European Union officials agreed on details of cybersecurity regulation.

TWEET OF THE DAY — The perfect target for Rudolph the Red-Team Hacker.

QUICK BYTES

— There are signs that a hostile foreign intelligence service was behind the Marriott breach. NBC News

— U.S. spies are worried about China’s advances in quantum computing. Yahoo

About The Author : Tim Starks

Tim Starks has written about cybersecurity since 2003, when he began at Congressional Quarterly as a homeland security reporter. While at CQ Roll Call, he mainly covered intelligence, but he also had stretches as a foreign policy reporter and defense reporter. In 2009, he won the National Press Club's Sandy Hume Memorial Award for Excellence in Political Journalism.

He left CQ Roll Call in March of 2015. Before coming to Politico he spent several months freelancing, writing for the Economist, the New Republic, Foreign Policy, Vice, Bloomberg and the Guardian.

He grew up in Evansville, Ind. and graduated from the University of Southern Indiana with a degree in print journalism. His first full-time reporting job was covering city hall for the Evansville Press, the former afternoon daily. He was a Pulliam Fellow at the Indianapolis Star, and participated in the Politics and Journalism Semester at the chain of newspapers anchored by the Las Vegas Review-Journal. He also was the Statehouse Bureau Chief at the Evansville Courier & Press and established the Washington bureau of the New York Sun. Some of his other freelance work has been for the Chicago Tribune, Glamour, Deutsche Welle, Ring and BookForum.

He is the founder of The Queensberry Rules, dubbed an "indispensable boxing blog" by the Wall Street Journal. He's also fond of fantasy basketball and real-life basketball — he is from Indiana, after all — and gets way too bent out of shape over people rooting against the home team or not walking on the right side of the sidewalk.